Safe Campaign Compromises Over 12,000 Unique IPs

Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge.

This research paper documents the operations of a campaign we refer to as “Safe,” based on the names of the malicious files used. It is an emerging and active targeted threat that is known to have compromised government ministries, technology companies, media outlets, academic research institutions, and non-governmental organizations. While we have yet to determine the campaign’s total number of victims, it appears that nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to Safe. We also discovered that the average number of actual victims remained at 71 per day, with few if any changes from day to day. This indicates that the actual number of victims is far less than the number of unique IP addresses. Due to large concentrations of IP addresses within specific network blocks, it is likely that the number of victims is even smaller and that they have dynamically assigned IP addresses, which have been compromised for some time now.

Investigating targeted campaigns involves more than simply collecting actionable indicators like malware samples and C&C server information. Investigating and monitoring the activities of the Safe campaign over time, we were able to take advantage of the mistakes the attackers made and thus gain a deeper understanding of their operations. One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.

The author of the malware used in the campaign is probably a professional software developer who studied at a technical university in China. This individual appears to have repurposed legitimate source code from an Internet services company in the same country for use as part of the campaign’s C&C server code. As such, this may be a case in which a malware entrepreneur’s code was used in targeted attacks.

In addition to understanding the tools and techniques used in this campaign, we had the opportunity to analyze the data to determine its source. While the information that we obtained suggested the identity of the malware author, we were not able to attribute the campaign operation to him. In fact, while we were able to identify the various IP addresses used by the operators, the geographic diversity of the proxy servers and VPNs made it difficult to determine their true origin.

Safe Campaign Quick Profile:

First Seen: The Safe campaign was first seen in October 2012.

Victims and Targets: The Safe campaign was able to compromise government ministries, technology companies, media outlets, academic research institutions, and non-governmental organizations. Furthermore, it was discovered that the average number of actual victims remained at 71 per day, with few if any changes from day to day.

Operations: The Safe campaign attackers used spear-phishing emails with malicious attachments. Attackers used several malicious documents that all exploited a Microsoft Office® vulnerability (i.e., CVE-2012-0158). If opened with a version of Microsoft Word® that is not up-to-date, a malicious payload is silently installed on the user’s computer.

In addition, one of the C&C servers used in the Safe campaign was set up in such a way that the contents of the directories were viewable to anyone who accessed them.

Possible Indicators of Compromise:

Below is a list of the components of the Safe campaign.

Network traffic identifiers:

Network traffic going to mongolbaatarsonin.in

Network traffic going to withoutcake.com

Network traffic going to mongolbaatar.us

Network traffic going to getapencil.com

User-agent identified as “Fantasia”

Communication with any URL containing the sub-URL /safe/record.php

Host-based identifiers:

Presence of SafeExt.dll on the host (commonly found in %Program Files%\Internet Explorer\SafeNET\)

Presence of SafeCredential.DAT on the host (commonly found in %Program Files%\Internet Explorer\SafeNet\)

Presence of the directory, %Program Files%\Internet Explorer\SafeNet\

Modification of certain registry values
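As an added example (not code from the Trend Micro paper), the network and host indicators listed above applied to constructed proxy-log lines and file paths; the log layout and every sample value are assumptions made for the example:

```python
import re
from urllib.parse import urlparse
# Indicators quoted from the Safe campaign profile above.
SAFE_DOMAINS = {"mongolbaatarsonin.in", "withoutcake.com", "mongolbaatar.us", "getapencil.com"}
SAFE_USER_AGENT = "Fantasia"
SAFE_URL_PATH = "/safe/record.php"
SAFE_DIR = "\\internet explorer\\safenet\\"        # under %Program Files%
SAFE_FILES = {"safeext.dll", "safecredential.dat"}
# Assumed proxy-log layout (constructed for this example): <ts> <client-ip> <method> <url> "<ua>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def match_network_indicators(line):
    """Return the Safe network indicators that one proxy-log line matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []                      # unparseable line: no verdict
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    hits = []
    if host in SAFE_DOMAINS or any(host.endswith("." + d) for d in SAFE_DOMAINS):
        hits.append("domain:" + host)            # C&C domain or a subdomain of it
    if url.path.lower().endswith(SAFE_URL_PATH):
        hits.append("path:" + SAFE_URL_PATH)     # flagged on any host: C&C servers change
    if m["ua"] == SAFE_USER_AGENT:
        hits.append("user-agent:" + SAFE_USER_AGENT)
    return hits

def scan_log(lines):
    """Pair each flagged log line with the indicators it triggered."""
    return [(line, h) for line in lines for h in [match_network_indicators(line)] if h]

def check_host_paths(paths):
    """Flag paths inside the SafeNet directory or named after the dropped files."""
    flagged = []
    for p in paths:
        norm = p.replace("/", "\\").lower()
        # trailing separator so that e.g. "...\SafeNetwork\" is not mistaken for "...\SafeNet\"
        if SAFE_DIR in norm + "\\" or norm.rpartition("\\")[2] in SAFE_FILES:
            flagged.append(p)
    return flagged

# Constructed sample input (not real traffic); example.com and the addresses are reserved ranges.
SAMPLE_LOG = [
    '2012-11-02T10:15:01Z 10.0.0.5 GET http://www.example.com/index.html "Mozilla/5.0"',
    '2012-11-02T10:15:07Z 10.0.0.5 POST http://mongolbaatarsonin.in/safe/record.php "Fantasia"',
    '2012-11-02T10:16:22Z 10.0.0.9 GET http://198.51.100.7/safe/record.php "Mozilla/4.0"',
    '2012-11-02T10:17:45Z 10.0.0.9 GET http://cdn.getapencil.com/ "Mozilla/4.0"',
]
SAMPLE_PATHS = [r"C:\Program Files\Internet Explorer\iexplore.exe",
                r"C:\Program Files\Internet Explorer\SafeNet\SafeExt.dll"]
```

The record.php path is matched on any host because the C&C IP addresses changed over the campaign; the domain match covers subdomains for the same reason.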

Malware files:

TROJ_FAKESAFE.SMA

TROJ_DROPER.SMA

TROJ_DROPDET.A

TROJ_MDROP.DET

ADW_ADSTART

TROJ_CONNECT.DET

* More information on the Safe campaign can be seen in the Trend Micro research paper, “Safe: A Targeted Threat.”